Jail source address selection broken, patch for ping

Mark Felder feld at feld.me
Mon Apr 9 20:11:59 UTC 2012 

On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. Díaz y Díaz  
<jfd at mrecic.gov.ar> wrote:

> Mark, you can just run a jail with the setfib utility so you don't need  
> to modify all your scripts.

I don't think anyone here is understanding the issue and forcing a routing  
table will not help.

root at jailhost:/# jls -v
    JID  Hostname                      Path
         Name                          State
         CPUSetID
         IP Address(es)
      3  xymon.xxxxxx.net            /usr/jails/xymon.xxxxxx.net
         3                             ACTIVE
         2
         66.xxx.xxx.xxx
         192.168.89.xxx  <-- different vlans for each
         192.168.93.xxx
         192.168.94.xxx
         192.168.95.xxx
         192.168.96.xxx
         192.168.97.xxx


root at jailhost:/# ifconfig   (edited output)
vlan989: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu  
1500
         options=103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 989 parent interface: bce1
vlan993: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu  
1500
         options=103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 993 parent interface: bce1
vlan994: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu  
1500
         options=103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 994 parent interface: bce1
vlan996: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu  
1500
         options=103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 996 parent interface: bce1
vlan997: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu  
1500
         options=103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 997 parent interface: bce1





All of these vlan interfaces go into a SINGLE jail. Setting the fib will  
not help; the jail already has the default routing table. The problem is  
that you can't access these different VLANs with many network utilities  
because it sets your source IP in the packet as the first IP the jail has  
bound to it: 66.xxx.xxx.xxx

More information about the freebsd-jail mailing list